Jeremy Sun
In the Domain DC GPO, I have changed some file system security and suddenly
the password policies failed.
The password policy settings are still in the GPO file. I can read the
settings from AD Users and Computers. However, when I log onto a DC and
check the local security settings, it says "not defined" for the password
policies. All other policies are in effect and there is no error in the
event log.
When I look into the winlogon.log, all the errors I can find are the
error 0 to send control flag 1 over to server
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND
and a file fail file system security items which is quite normal.
Any idea?
Any solution?
Thanks in advance.
----------------------------------------------------------------------------
--------
Is the password policy defined in the default domain policy? If not, it must be defined there.
----------------------------------------------------------------------------
--------
It was defined. It is defined. In fact, most if not all items in the default
domain controller policy - machine are defined.
All policies, including security, auditing, file system, registry, etc.,
reflect on the domain controller on the next update.
When I start the "local security setting" on one of the DCs, it said those
settings are effective.
However, the password policy is marked "NOT defined" on the local, although it
is defined in the policy.
In fact, not even the local policy on the DC is effective.
So I have something like this:
Local defined password age: 42 days
Policy defined password age: 90 days
Effective password age: not defined.
----------------------------------------------------------------------------
--------
What did you change that prompted this?
----------------------------------------------------------------------------
--------
1) I have added a new DC to the domain
2) The DC did not take in the DC policies so I went through the DC policies
3) I removed some duplicated entries in the file system section
4) I removed all "Everyone" security rights from the remaining entries in the
file system section
5) I removed all "Server Operator" security rights from the remaining entries in
the file system section
6) The new DC is still not working, so I debugged the winlogon and found that
it missed the %sysvol% variable
7) The new DC is finally taking in the DC policies; I found that the
password policies are not working
8) I found that the password policies are not working on other DCs as well
9) I am very sure that the password policies were working the week before
because I made some small adjustment
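
The check the reply above asks for (is the password policy defined in a GPO linked at the domain level?), as an added example that is not part of the original thread: it reads the `[System Access]` section of each GPO's security template (`GptTmpl.inf`) and lists password keys that appear only in an OU-linked GPO. The two sample templates, their values and the function names are constructed for illustration.

```python
# Added example, not from the thread. Function names and sample data are illustrative.
PASSWORD_KEYS = {"MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
                 "PasswordComplexity", "PasswordHistorySize"}

def parse_system_access(inf_text):
    """Return {key: value} from the [System Access] section of a GptTmpl.inf text."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "system access" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def password_keys_by_gpo(gpos):
    """gpos: list of (name, link_scope, inf_text); link_scope is 'domain' or 'ou'."""
    report = []
    for name, scope, text in gpos:
        found = {k: v for k, v in parse_system_access(text).items() if k in PASSWORD_KEYS}
        report.append((name, scope, found))
    return report

def misplaced(report):
    """Password keys set only in OU-linked GPOs, which domain accounts do not use."""
    at_domain = {k for _, scope, found in report if scope == "domain" for k in found}
    return sorted((name, k, v) for name, scope, found in report if scope == "ou"
                  for k, v in found.items() if k not in at_domain)

# Constructed sample templates (real GptTmpl.inf files are usually UTF-16 encoded).
DOMAIN_GPO = """[System Access]
LockoutBadCount = 5
"""
DC_GPO = """[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 8
[File Security]
"%SystemRoot%\\system32",0,"D:PAR(A;OICI;FA;;;BA)"
"""
SAMPLE = [("Default Domain Policy", "domain", DOMAIN_GPO),
          ("Default Domain Controllers Policy", "ou", DC_GPO)]

print(misplaced(password_keys_by_gpo(SAMPLE)))
```

An empty result means every password key found is also present in a domain-linked GPO; any tuple returned names a setting that exists only in the OU-linked template.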